From 62842e5ae0bbfe3504b5c6024400a09b2428ad1a Mon Sep 17 00:00:00 2001
From: yuntong
Date: Fri, 23 Jan 2015 14:52:42 +0800
Subject: [PATCH] Move policy enforcement into REST API layer for v2.1 api attach_interfaces
This patch moves policy enforcement into REST API layer for v2.1 api attach_interfaces, and adds unit tests.
Partially implements blueprint v3-api-policy
Change-Id: Ia1f9769ab269751249e7765dbedda324c4b972c5
---
 .../compute/plugins/v3/attach_interfaces.py | 7 ++-
 .../compute/contrib/test_attach_interfaces.py | 43 +++++++++++++++++++
 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/nova/api/openstack/compute/plugins/v3/attach_interfaces.py b/nova/api/openstack/compute/plugins/v3/attach_interfaces.py
index 3bca981b7774..6c99ec2daecc 100644
--- a/nova/api/openstack/compute/plugins/v3/attach_interfaces.py
+++ b/nova/api/openstack/compute/plugins/v3/attach_interfaces.py
@@ -30,8 +30,7 @@ from nova import network
 ALIAS = 'os-attach-interfaces'
-authorize = extensions.extension_authorizer('compute',
- 'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
 def _translate_interface_attachment_view(port_info):
@@ -49,8 +48,8 @@ class InterfaceAttachmentController(wsgi.Controller):
 """The interface attachment API controller for the OpenStack API."""
 def __init__(self):
- self.compute_api = compute.API()
- self.network_api = network.API()
+ self.compute_api = compute.API(skip_policy_check=True)
+ self.network_api = network.API(skip_policy_check=True)
 super(InterfaceAttachmentController, self).__init__()
 @extensions.expected_errors((404, 501))
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py b/nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py
index 7d3b8a8034b0..5fd92a62eb0d 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py
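Review bot: With `skip_policy_check=True` passed to both `compute.API` and `network.API` in `__init__`, the module-level `authorize` becomes the only policy gate for this controller, and nothing in the hunk records that. Every handler that reaches `self.compute_api` or `self.network_api` now has to call `authorize` first; the handler bodies lie outside the hunk, so that cannot be confirmed from here. I would add a comment above the two assignments, e.g. `# Policy is enforced by authorize() in each handler; the API-layer checks are skipped here.`, so that a handler added later is not left unenforced by omission.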
@@ -427,3 +427,46 @@ class InterfaceAttachTestsV2(InterfaceAttachTestsV21):
 def test_attach_interface_instance_with_non_array_fixed_ips(self):
 pass
+
+
+class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(AttachInterfacesPolicyEnforcementv21, self).setUp()
+ self.controller = \
+ attach_interfaces_v21.InterfaceAttachmentController()
+ self.req = fakes.HTTPRequest.blank('')
+ self.rule_name = "compute_extension:v3:os-attach-interfaces"
+ self.policy.set_rules({self.rule_name: "project:non_fake"})
+
+ def test_index_attach_interfaces_policy_failed(self):
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.index, self.req, fakes.FAKE_UUID)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % self.rule_name,
+ exc.format_message())
+
+ def test_show_attach_interfaces_policy_failed(self):
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.show, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % self.rule_name,
+ exc.format_message())
+
+ def test_create_attach_interfaces_policy_failed(self):
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.create, self.req, fakes.FAKE_UUID, body={})
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % self.rule_name,
+ exc.format_message())
+
+ def test_delete_attach_interfaces_policy_failed(self):
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % self.rule_name,
+ exc.format_message())
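Review bot: The four tests in `AttachInterfacesPolicyEnforcementv21` cover only the deny path, and they would presumably pass without the `skip_policy_check=True` change, since a denial raised by `authorize` looks the same either way. A companion test should permit `self.rule_name` and check that the handler is no longer rejected by a lower-layer rule, which is the behaviour this commit moves. The literal `"compute_extension:v3:os-attach-interfaces"` also has to match whatever `os_compute_authorizer(ALIAS)` builds, which is not visible here. A short class docstring such as `"""Check that each handler enforces the REST-layer policy rule."""` would state the intent.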